Bug #1753: cygwin: after pcap, engine "freezes" for a long time before exiting - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1753

closed

cygwin: after pcap, engine "freezes" for a long time before exiting

Added by Marko Stojanovic about 8 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

Platform : Tested on 2012, 64bit version.
Configuration : 8GB ram, 8 core Xeon CPU , run as a virtual machine on VMWare ESXi host
Suricata versions : Tested on Suricata 3.0.1RC1

Ran from a command line with Administrator privileges with next command parameters :

"suricata --runmode=single -v -c suricata.yaml -r ..\Users\Administrator\Downloads\maccdc2012_00013.pcap"

After the scan completes ( I noticed performance boost in comparison with 2.0.11 with single runmode option, tnx Victor and Peter), and afterscan info is displayed, at one point the process will freeze for some time, and then it will finnish. While it's "frozen", Memory and CPU time is still consumed as like it's doing something.

Full output is in the attachment,but the most important part is displayed (with comments inserted ) :

ENGINE STARTS
30/3/2016 -- 19:47:57 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
30/3/2016 -- 19:47:57 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
30/3/2016 -- 19:49:34 - <Info> - pcap file end of file reached (pcap err code 0)
30/3/2016 -- 19:49:34 - <Notice> - Signal Received. Stopping engine.
ENGINE ENDS ( less than 2 minutes of scanning a 1GB pcap file )

AFTER SCAN STATS START SHOWING
30/3/2016 -- 19:52:28 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
30/3/2016 -- 19:52:28 - <Info> - preallocated 1024 packets. Total memory 2861056
30/3/2016 -- 19:52:28 - <Info> - time elapsed 271.217s
30/3/2016 -- 19:52:28 - <Info> - 1002314 flows processed
30/3/2016 -- 19:52:47 - <Notice> - Pcap-file module read 3190917 packets, 1022686575 bytes
30/3/2016 -- 19:52:47 - <Info> - Stream TCP processed 3056562 TCP packets
30/3/2016 -- 19:52:47 - <Info> - Fast log output wrote 1194 alerts
30/3/2016 -- 19:52:47 - <Info> - HTTP logger logged 2897 requests
30/3/2016 -- 19:53:05 - <Info> - ippair memory usage: 334144 bytes, maximum: 16777216
AND HERE SOMETHING HAPPENS, 12 MINUTES OF NOTHING
30/3/2016 -- 20:05:02 - <Info> - host memory usage: 326144 bytes, maximum: 16777216
30/3/2016 -- 20:05:02 - <Info> - cleaning up signature grouping structure... complete
PROCESS EXITS

Files

SuricataOUT.txt (6.56 KB) SuricataOUT.txt

Marko Stojanovic, 03/30/2016 01:17 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1753

cygwin: after pcap, engine "freezes" for a long time before exiting

Updated by Marko Stojanovic about 8 years ago

Updated by Victor Julien about 8 years ago

Updated by Andreas Herz over 7 years ago

Updated by Victor Julien over 7 years ago

Updated by Victor Julien about 7 years ago

Updated by Andreas Herz almost 5 years ago

Updated by Victor Julien over 4 years ago